Wiseguys Plead Guilty in Ticketmaster Captcha Case

Three operators of a ticket-scalping agency have pleaded guilty to charges that they illegally used computer scripts to bypass Captcha — the squiggly letters and numbers websites display to prove a visitor is human — and automatically purchase thousands of tickets from Ticketmaster and other vendors to resell them.

Kenneth Lowson, 41, Kristofer Kirsch, 37, who owned and operated Wiseguy Tickets, pleaded guilty on Thursday in New Jersey to one count of conspiracy to commit wire fraud and hacking. Joel Stevenson, 37, who earned $150,000 as the outfit’s chief computer programmer and system administrator, also pleaded guilty to one count of hacking. A fourth defendant, Faisal Nadhi, the outfit’s chief financial officer, has not been apprehended.

Lowson and Kirsch face a maximum sentence of five years in prison and a $250,000 fine. Stevenson faces a maximum sentence of one year in prison and a $100,000 fine. Lowson agreed to surrender more than $1.2 million in proceeds from the crimes. Sentencing for all three defendants is set for March 15, 2011.

The defendants were indicted last March for an elaborate scheme that used a network of bots and other deceptive means to bypass Captcha and grab more than 1 million tickets for concerts and sporting events. They were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.

According to prosecutors, they made more than $25 million in profits from the resale of the tickets between 2002 and 2009.

In bringing charges, prosecutors pushed the envelope on the federal computer-hacking law by asserting that bypassing Captcha constituted unauthorized access of ticket-seller servers, according to policy groups who filed an amicus brief in the case to back the defendant’s motion to have the charges dismissed.

The Electronic Frontier Foundation, the Center for Democracy and Technology and other advocates said the case threatened to turn what was essentially a contractual dispute into a criminal case and could set a dangerous precedent — potentially making a felon of anyone who violated a site’s terms-of-service.

“Under the government’s theory, anyone who disregards — or doesn’t read — the terms of service on any website could face computer crime charges,” said EFF civil liberties director Jennifer Granick in a press release at the time. “Price-comparison services, social network aggregators and users who skim a few years off their ages could all be criminals if the government prevails.”

“The Court is satisfied that the indictment sufficiently alleges the elements of unauthorized access and exceeding authorized access under the CFAA, and sufficiently alleges conduct demonstrating defendants’ knowledge and intent to gain unauthorized access,” Judge Hayden wrote in her decision.

According to the indictment, Stevenson created code used to purchase the tickets and also oversaw a team of other programmers based in the United States and Bulgaria. The ring used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks.

Wiseguy often obtained so many premium tickets for an event that it was the leading source for the best tickets to some of the most popular venues, according to prosecutors. They purchased tickets to Miley Cyrus, Barbra Streisand, Bon Jovi and Bruce Springsteen concerts, as well as tickets to the Rose Bowl football game in 2006 and the 2007 Major League Baseball playoffs at Yankee Stadium.

Lowson allegedly boasted to one of his contractors in 2005 that Wiseguy had purchased 882 out of 1,000 Rose Bowl tickets that had gone on sale for the 2006 championship football game. In 2007, the owners offered employees a 100 percent salary bonus if the company met a goal of purchasing 1 million tickets of a certain value, authorities said.

In 2007, they thwarted a ticket lottery set up to purchase tickets to the New York Yankee playoffs. The lottery limited purchases to two tickets per person, but Wiseguy was able to purchase 1,924 tickets worth about $159,000, authorities said.

To prevent bots from purchasing tickets in bulk, online ticket vendors use CAPTCHA challenges and Proof of Work software that is designed to detect and slow down computers attempting to purchase large numbers of tickets. Online vendors also block IP addresses used to make bulk purchases.

According to the indictment, Lowson and Kirsch interviewed former employees of online ticket vendors to determine what measures they took to thwart automated buying and also obtained source code, in some cases through hacking. They then advertised for programmers who could bypass Captcha challenges to get to the purchase page and figure out ways to defeat ticket queues to land coveted spots at the front of the line.

The perpetrators’ bots monitored ticket websites and sprang into action the minute tickets went on sale, opening thousands of internet connections simultaneously, defeating both visual Captchas and audio Captchas used for visually impaired customers. The bots also filled out purchase pages with customer credit card information and fake e-mail addresses.

Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCaptcha, which is also used by Facebook. It’s a third-party Captcha that feeds a Captcha challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCaptcha, which then transmits a Captcha challenge to the customer.

But the defendants allegedly were able to thwart this, as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible Captcha challenges from reCaptcha, prosecutors maintained. They identified the file ID of each Captcha challenge and created a database of Captcha “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said.

The perpetrators took orders from ticket brokers, who were required to provide credit card numbers and account holder names in advance of a purchase so they could be programmed into the bot. Once the account holders received the tickets, they’d send them to Wiseguy, which would refund their credit card account. Wiseguy also had a bank of about 1,000 phone numbers that the bot submitted as customer contact numbers.

The bot would seize a block of prize seats, from which Wiseguy employees would cull the best for clients, then release unwanted seats back to the system. A legitimate ticket buyer who tried to purchase the same seats during this time might find them unavailable one minute, then available the next minute.